Intro to Web Application Security
Francis Al Victoriano: iHostCodex, CEO; Project-AG, Co-Founder; OWASP Panay Chapter, President; Panay Chapter, Director for Membership
The Web Apps: Multimedia, Email System, Search Engine, Online Banking, Online Shopping, Social Network
Typical Web Setup (diagram): Client <-> OS/Web Server (Apache, IIS, Nginx, running custom code in PHP, Perl or Python) <-> Database Server (MariaDB, PostgreSQL). The client sends a request to the web server, the custom code talks to the database, and the response travels back to the client.
What is WebAppSec? Simply, Web Application Security is... “The securing of web applications”
Why do we need security?
Non-Stop Attacks
Key Focus: Confidentiality, Integrity, Availability
Technical/Business Impact: Compromised; Information Leakage or Loss; Reputational Damage; Money Lost
98% of businesses have experienced a Web Application Attack in the last year.
Cost of Web Application Attacks:
- Costs of technical support and responses to incidents: $1,277,618
- Costs from the disruption to normal operations: $613,636
- Losses in revenue due to customer-facing services being unavailable: $538,745
- Costs associated with lost user productivity: $382,555
- Costs of damage or theft of IT infrastructure & assets: $374,655
- TOTAL: $3,137,209
Essential Terminologies
Threat: An action or event that has the potential to compromise and/or violate security.
Vulnerability: A weakness (software, hardware or procedural) that provides potential attackers with an unauthorized path into your environment.
Exploit: A defined way to breach the security of an IT system through a vulnerability.
Countermeasures: Mitigate a potential risk.
Common Web Vulnerabilities
1. Injection
2. Broken Authentication and Session Management
3. XSS (Cross Site Scripting)
4. Missing Function Level Access Control
5. Cross Site Request Forgery
Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
Threat: Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.
Impact: Entire database can usually be read or modified, or denial of access. Injection can sometimes lead to complete host takeover.
SQL Injection Example
Query the database actually receives when the user field contains ' or 1=1 -- (the comment marker discards the password check):
    SELECT user_id FROM user_data WHERE user_name = '' or 1=1 --' AND user_password = '1234';
Vulnerable servlet code that builds the query by string concatenation:
    // …
    String query = "SELECT user_id FROM user_data WHERE user_name = '"
        + req.getParameter("user") + "' AND user_password = '"
        + req.getParameter("password") + "'";
Prevent Injection
- Encode all user input before passing it to the interpreter (white list validation)
- Use an interface that supports bind variables
- Always minimize database privileges to reduce the impact of a flaw
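The slide's query rebuilt two ways, as an added example that is not part of the deck: the concatenated form, which the ' or 1=1 -- payload turns into "match every row", beside the bind-variable form the slide recommends. The table and column names come from the slide; the in-memory SQLite database and its two rows are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data: same table/columns as the slide, two demo users.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (user_id INTEGER, user_name TEXT, user_password TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, user, password):
    # String concatenation, exactly as in the slide's Java: whatever the user types
    # becomes part of the SQL text, so quotes and "--" are interpreted as syntax.
    query = (
        "SELECT user_id FROM user_data WHERE user_name = '" + user
        + "' AND user_password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, user, password):
    # Bind variables: the statement is fixed and the values travel separately,
    # so the same payload is compared literally against user_name and matches nothing.
    query = "SELECT user_id FROM user_data WHERE user_name = ? AND user_password = ?"
    return [row[0] for row in conn.execute(query, (user, password))]


if __name__ == "__main__":
    payload = "' or 1=1 --"
    print("vulnerable:", login_vulnerable(make_db(), payload, "1234"))  # every user_id
    print("safe:      ", login_safe(make_db(), payload, "1234"))        # no rows
    print("legit:     ", login_safe(make_db(), "alice", "s3cret"))      # [1]
```

The third recommendation on the slide, least database privilege, does not show in SQLite but in a real deployment the application account would have SELECT on user_data only.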
Broken Authentication and Session Management
Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users.
Threat: Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others.
Impact: User accounts compromised or user sessions hijacked
Broken Authentication Example (diagram: the site's custom code fronts business functions such as Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt and E-Commerce)
1. User sends credentials.
2. Site uses URL rewriting (i.e., puts the session in the URL): www.boi.com?JSESSIONID=9FA1DB9EA...
3. User clicks on a link to http://www.hacker.com in a forum.
4. Hacker checks referrer logs on www.hacker.com and finds the user's JSESSIONID.
5. Hacker uses the JSESSIONID and takes over the victim's account.
Prevent Broken Authentication
- Meet all the requirements in OWASP ASVS
- Examine all the authentication-related functions
- Make strong efforts to avoid XSS flaws, which can steal session IDs
XSS (Cross Site Scripting)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.
Threat: Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.
Impact: Attackers can execute scripts in a victim's browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user's browser using malware, etc.
XSS Pattern (simple patterns):
    <SCRIPT>javascript:alert('XSS');</SCRIPT>
    <IMG SRC=javascript:alert('XSS')>
    <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
Reflected XSS (diagram): the victim's request carries the payload in the URL to the web application server; the server's HTML response reflects it straight back, and the bug fires in the victim's browser. Components: Browser, Server (Web Application, Database).
Persistent XSS (diagram): an initial request stores the payload through the web application into the database; every subsequent victim request to the website gets it back in the server's HTML response, where the bug fires.
Prevent XSS
- All user supplied input is properly escaped
- Perform White List Input Validation on user input
- Use Content Security Policy (CSP)
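The three defences above applied to the deck's own "XSS Pattern" strings, as an added example that is not part of the deck: an allowlist check for a username field, output escaping at the point the value is written into HTML (element content and attribute), and a CSP header without 'unsafe-inline'. The comment-rendering template, the username rule and the header value are assumptions for the demo.

```python
import html
import re

# The three payloads from the slide, embedded here as constructed test input.
PATTERNS = [
    "<SCRIPT>javascript:alert('XSS');</SCRIPT>",
    "<IMG SRC=javascript:alert('XSS')>",
    '<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>',
]

# White list input validation: define what a username MAY contain, reject the rest.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value):
    return bool(USERNAME_RE.match(value))


def render_comment(author, body):
    # Output escaping at the point of use. quote=True also turns ' and " into
    # entities, so a value placed in an attribute cannot break out of the quotes.
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    return '<div class="comment" data-author="%s"><b>%s</b>: %s</div>' % (
        safe_author, safe_author, safe_body)


def security_headers():
    # Defence in depth: without 'unsafe-inline' the browser refuses inline
    # <script> blocks and javascript: URLs even if an escaping bug slips through.
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"
    }


def is_neutralised(rendered):
    # Crude check used by the demo: none of the slide's tags survived as real markup.
    lowered = rendered.lower()
    return all(tag not in lowered for tag in ("<script", "<img", "<iframe"))


if __name__ == "__main__":
    for p in PATTERNS:
        print(validate_username(p), is_neutralised(render_comment("guest", p)))
    print(security_headers())
```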
Missing Function Level Access Control
Attacker, who is an authorized system user, simply changes the URL or a parameter to a privileged function. Is access granted? Anonymous users could access private functions that aren't protected.
Threat: Anyone with network access can send your application a request. Could anonymous users access private functionality, or regular users a privileged function?
Impact: Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack.
Missing Function Level Access Control Explained
1. The attacker is a regular user and is served /user/getAccounts.
2. The attacker modifies the URL to another directory (role): /admin/getAccounts, or /manager/getAccounts.
3. The attacker views more accounts than just their own.
Prevent Missing Function Level Access Control
- Restrict access to authenticated users
- Enforce role based permissions
- Whitelist your IP in the administration panel
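The three controls above enforced on the deck's /user, /manager and /admin getAccounts URLs, as an added example that is not part of the deck: an explicit role table that denies any URL it does not list, a role rank so a plain user cannot reach the manager or admin variant by editing the path, and an IP allow list for the admin panel. The users, accounts, roles and the 10.0.5.0/24 admin network are constructed for the demo.

```python
import ipaddress

# Constructed sample data.
ACCOUNTS = {"alice": ["ACC-1001"], "bob": ["ACC-2001", "ACC-2002"], "root": []}
ROLES = {"alice": "user", "bob": "user", "carol": "manager", "root": "admin"}
RANK = {"user": 1, "manager": 2, "admin": 3}
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]  # hypothetical admin network

# Every function-level URL declares the minimum role it needs. A URL that is not
# listed is denied, so a new privileged page cannot ship unprotected by accident.
REQUIRED_ROLE = {
    "/user/getAccounts": "user",
    "/manager/getAccounts": "manager",
    "/admin/getAccounts": "admin",
}


def authorize(path, session, client_ip):
    """Return (allowed, reason). session is None for an anonymous request."""
    if session is None:
        return False, "authentication required"
    required = REQUIRED_ROLE.get(path)
    if required is None:
        return False, "unknown function"
    role = ROLES.get(session["user"])
    if role is None or RANK[role] < RANK[required]:
        return False, "role %s may not call %s" % (role, path)
    if path.startswith("/admin/"):
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in ADMIN_NETWORKS):
            return False, "admin panel only reachable from allow-listed IPs"
    return True, "ok"


def get_accounts(path, session, client_ip):
    allowed, reason = authorize(path, session, client_ip)
    if not allowed:
        return {"status": 401 if session is None else 403, "error": reason}
    if path == "/user/getAccounts":
        # Horizontal check: a regular user only ever sees their own accounts.
        return {"status": 200, "accounts": ACCOUNTS.get(session["user"], [])}
    # Manager/admin views list every account.
    return {"status": 200,
            "accounts": sorted(a for accs in ACCOUNTS.values() for a in accs)}


if __name__ == "__main__":
    print(get_accounts("/user/getAccounts", {"user": "alice"}, "203.0.113.5"))
    print(get_accounts("/admin/getAccounts", {"user": "alice"}, "10.0.5.7"))  # 403
```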
Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application.
Threat: Consider anyone who can load content into your users' browsers, and thus force them to submit a request to your website.
Impact: Attackers can trick victims into performing any state changing operation the victim is authorized to perform, e.g., updating account details, making purchases, transferring funds, logging out and even logging in.
Cross Site Request Forgery Explained (diagram)
1. The browser, already logged in to bank.com, visits the attacker's page:
    GET / HTTP/1.1
    Host: www.evil.org
2. evil.org responds with a page containing a hidden request to the bank:
    HTTP/1.1 200 OK
    ...
    <html>
    <img src="http://bank.com/transfer?to=hacker&amount=1000$"/>
    </html>
3. The browser fetches the image, i.e. sends the forged request with the victim's session (CSRF attack):
    GET /transfer?to=hacker&amount=1000$ HTTP/1.1
    Host: bank.com
4. The bank's web app (Bug!) accepts it and transfers 1000$.
Prevent Cross Site Request Forgery
- Add a secret, not automatically submitted, token to all sensitive requests
- Make sure your application has no XSS holes
- Require the user to re-authenticate, or prove they are a user (e.g., via a CAPTCHA)
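The first recommendation, a secret token that the browser does not send automatically, applied to the slide's /transfer endpoint, as an added example that is not part of the deck. The token is an HMAC of the session ID under a server key, the legitimate form carries it as a hidden field, and the handler rejects the slide's <img>-triggered GET as well as a POST without the token. The request/session dictionaries, cookie name and session IDs are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Per-deployment key; generated at import so the example runs stand-alone (constructed).
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    # Bound to the session and never stored in a cookie: evil.org cannot read it
    # (same-origin policy) and the browser does not attach it on its own.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id):
    # The bank's own form embeds the token as a hidden field.
    return ('<form method="POST" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '<input name="to"><input name="amount"><button>Send</button>'
            '</form>' % csrf_token(session_id))


def handle_transfer(request, sessions):
    """request: {"method", "cookies", "form"}; sessions maps cookie value -> user.
    Returns (status, message)."""
    session_id = request["cookies"].get("SESSIONID")
    user = sessions.get(session_id)
    if user is None:
        return 401, "login required"
    if request["method"] != "POST":
        # The <img src=...> trick on the slide can only produce a GET.
        return 405, "state-changing operations require POST"
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    return 200, "%s transferred %s to %s" % (
        user, request["form"]["amount"], request["form"]["to"])


if __name__ == "__main__":
    sessions = {"sess-demo-1": "victim"}
    forged = {"method": "GET", "cookies": {"SESSIONID": "sess-demo-1"},
              "form": {"to": "hacker", "amount": "1000$"}}
    print(handle_transfer(forged, sessions))                     # (405, ...)
    print(handle_transfer(dict(forged, method="POST"), sessions))  # (403, ...)
```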
TIPS ON SECURING WEB APPLICATIONS
Define Secure Coding Standards
- Validate all input parameters to prevent attacks
- Sanitize application responses
- HTTP trust issues
- Keep sensitive session values on the server to prevent client-side modification
- Use encryption
- Session management
- Access restriction
- Build a centralised module for application auditing and reporting
Perform Threat Modeling
1. Identify the key security objectives.
2. Create an overview of the application by itemising the important characteristics of that application.
3. Deconstruct the application to identify the features and modules that have a security impact, and that need to be evaluated.
4. Identify all threats.
5. Identify all vulnerabilities.
Testing and Quality Assurance: Web Application Penetration Testing; Code Review
Design a Web Application Security Architecture: Secured Web Server, Secured Application Server, Secured Database Server
Maintenance & Support: Application Log Review; Version Control and a Separate Environment for Development
Web Application Firewall (WAF) (diagram): Network Security (Firewall, IDS/IPS) -> WAF -> Web App on the server. The WAF's ruleset (whitelist, blacklist, heuristics, guidelines) defines legal/illegal requests and rejects the illegal ones. It sometimes rejects legitimate requests ("false positives") or fails to recognize illegal requests ("false negatives").
Reminders!
1. Client Side Protection: Don't trust the client's input (validate all inputs); encode all user supplied input
2. Server Side Protection: White List Validation (server side code); use a Web Application Firewall
3. User: Follow all the security hardening guides; test your system
What next for Developers?
- Application Security Requirements: OWASP ASVS
- Application Security Architecture: OWASP Developer's Guide, Prevention Cheat Sheets
- Standard Security Controls: OWASP Enterprise Security API (ESAPI) project
- Secure Development Lifecycle: OWASP Software Assurance Maturity Model (SAMM)
- Application Security Education: OWASP Education Project
Contact Us: francis.victoriano@owasp.org, info@project-ag.org, francis@ihostcodex.com, faavictoriano@capsu.edu.ph
Visit our sites: www.owasp.org, www.project-ag.org
Thank You